In networking, access control lists (ACLs) are utilized by network devices (such as routers, switches, and firewalls) to permit and restrict data flows into and out of network interfaces. An ACL specifies which users or system processes may be granted access to objects, as well as what operations may be allowed on given objects. When an ACL is configured on an interface, the network device analyzes data passing through the interface, compares it to the criteria described in the ACL, and either permits the data flow or prohibits it. ACLs can generally be configured to control both inbound and outbound traffic by limiting user and device access to and from undesired addresses and/or ports. Specifically, ACLs filter network traffic by controlling whether routed packets are forwarded or blocked, typically at a router interface, although other devices can filter packets. An ACL criterion could be the source address of the traffic or the destination address of the traffic, the target port, or protocol, or some combination therein. Typically, Internet Protocol (IP) addresses serve as identifiers of the source device on an IP-based network.
Traditional access control systems use manually maintained and/or configured ACLs. However, considering that a large IP network may have tens of thousands of nodes and hundreds of routers and gateways, manual management and creation of ACLs causes numerous difficulties for such networks because of the resulting large number of ACLs. Furthermore, spatial relationships between ACLs with regard to particular traffic flow are often only known to the ACL management team, and thus traditional network ACLs exist in a vacuum between two arbitrary security domains. This leaves significant opportunity for error when performing manual ACL changes as team members may forget that a particular traffic flow is possible. In addition, manually configured ACLs bear no explicit connection to the service or environment they are tasked to protect, and removal or addition of the service on either side of the ACL has no effect on the ACL itself. These leads to significant ACL maintenance issues because unbeknownst to the ACL management team, a particular access control entry might over time become used by a new set of services.
The current disclosure discloses a system and method for automatic creation of dynamic access control lists to address the issues discussed above.